- From: John Franks <john@math.nwu.edu>
- Date: Tue, 14 Apr 1998 11:44:26 -0500 (CDT)
- To: http-wg@cuckoo.hpl.hp.com
On Mon, 13 Apr 1998, Dave Kristol wrote: > > 3.2.3 The Authentication-Info Header > > cnonce and qop are used in the calculation of response-digest. The > client is not required to send either cnonce= or auth=. So I assume > (correct?) that the null string is used for values for omitted > attributes in the calculation. > > If (to use cnonce as the example) cnonce was omitted, should > Authentication-Info omit cnonce, or should it send cnonce=""? Same > question for auth. > It might be better to say that Authentication-Info should only be sent if qop (and hence cnonce) are present. Another question: Unless I am mistaken, at one point in the long sequence of digest drafts, the Authentication-Info header could be supplied by either the server or the client. It would be useful for the client to be able to supply the digest of POSTed data or a file which is PUT. Being able to assure the integrity of client supplied data would be very useful. Did this fall through the cracks, or am I just missing this functionality somewhere in the draft? John Franks john@math.nwu.edu
Received on Tuesday, 14 April 1998 09:47:47 UTC